From e7d71d43c34e3d84e23e9093a3dd16a7f905d927 Mon Sep 17 00:00:00 2001
From: Martin Kanis
Date: Fri, 30 Aug 2024 11:44:29 +0200
Subject: [PATCH] Identity Provider secret visible in Organization tab (API request)

Closes #32486

Signed-off-by: Martin Kanis
---
 ...OrganizationIdentityProvidersResource.java | 6 +++---
 ...izationOIDCBrokerSelfRegistrationTest.java | 21 +++++++++++++++++++
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java b/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java
index 0619b1ee39..14cd29dc80 100644
--- a/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java
+++ b/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProvidersResource.java
@@ -29,7 +29,6 @@ import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.Response.Status;
 import jakarta.ws.rs.ext.Provider;
 
-import java.util.Objects;
 import java.util.stream.Stream;
 
 import org.eclipse.microprofile.openapi.annotations.Operation;
@@ -42,6 +41,7 @@ import org.keycloak.models.ModelException;
 import org.keycloak.models.OrganizationModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.utils.ModelToRepresentation;
+import org.keycloak.models.utils.StripSecretsUtils;
 import org.keycloak.organization.OrganizationProvider;
 import org.keycloak.representations.idm.IdentityProviderRepresentation;
 import org.keycloak.services.ErrorResponse;
@@ -117,7 +117,7 @@ public class OrganizationIdentityProvidersResource {
             throw ErrorResponse.error("Identity provider not associated with the organization", Status.NOT_FOUND);
         }
 
-        return ModelToRepresentation.toRepresentation(realm, broker);
+        return toRepresentation(broker);
     }
 
     @Path("{alias}")
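Review bot: The representation returned at `return toRepresentation(broker);` now carries masked secret values, but nothing in the endpoint's contract says so; a client that GETs this representation and PUTs it back will send the mask string as `clientSecret`, and whether the update path treats that as "leave unchanged" should be confirmed rather than assumed. I would add to the method's Javadoc: `Secret-valued config entries (e.g. clientSecret) are returned masked; callers must not round-trip the masked value as a new secret.` The enclosing getIdentityProvider method starts above the hunk, so its signature and @Operation description are not visible here.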
@@ -142,7 +142,7 @@ public class OrganizationIdentityProvidersResource {
     }
 
     private IdentityProviderRepresentation toRepresentation(IdentityProviderModel idp) {
-        return ModelToRepresentation.toRepresentation(realm, idp);
+        return StripSecretsUtils.stripSecrets(session, ModelToRepresentation.toRepresentation(realm, idp));
     }
 
     private boolean isOrganizationBroker(IdentityProviderModel broker) {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/broker/OrganizationOIDCBrokerSelfRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/broker/OrganizationOIDCBrokerSelfRegistrationTest.java
index 89f829cf7a..dbbe9d94c9 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/broker/OrganizationOIDCBrokerSelfRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/broker/OrganizationOIDCBrokerSelfRegistrationTest.java
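Review bot: `StripSecretsUtils.stripSecrets(session, ...)` masks values in the representation's config map in place, so the fix is only safe if `ModelToRepresentation.toRepresentation(realm, idp)` hands back a copy rather than the model's own config map — if it were the backing map, the mask would overwrite the real secret in memory for the rest of the request and could be persisted by a later update. Please confirm that in ModelToRepresentation, and record the invariant on the helper: `// Every representation leaving this resource must pass through here so secret-typed config values are masked.` Also worth noting that only the config keys the stripping utility recognises as secrets are masked; a custom broker whose secret lives under a different key would presumably still be exposed unless its factory flags that property as a secret.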
@@ -17,10 +17,31 @@ package org.keycloak.testsuite.organization.broker;
 
+import org.junit.Test;
+import org.keycloak.admin.client.resource.OrganizationResource;
 import org.keycloak.common.Profile.Feature;
+import org.keycloak.representations.idm.IdentityProviderRepresentation;
 import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
 
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+
 @EnableFeature(Feature.ORGANIZATION)
 public class OrganizationOIDCBrokerSelfRegistrationTest extends AbstractBrokerSelfRegistrationTest {
 
+    @Test
+    public void testMaskedSecretInIDPRepresentation() {
+        OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
+        List identityProviders = organization.identityProviders().getIdentityProviders();
+
+        String maskedSecret = "**********";
+
+        identityProviders.forEach(idp -> assertEquals(maskedSecret, idp.getConfig().get("clientSecret")));
+
+        identityProviders.stream().map(IdentityProviderRepresentation::getAlias).forEach(alias -> {
+            IdentityProviderRepresentation rep = organization.identityProviders().get(alias).toRepresentation();
+            assertEquals(maskedSecret, rep.getConfig().get("clientSecret"));
+        });
+    }
 }
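Review bot: `identityProviders.forEach(idp -> assertEquals(...))` passes vacuously if `getIdentityProviders()` returns an empty list, so a regression in the listing endpoint (or a fixture change that no longer attaches a broker to the organization) would not fail this test; add `assertFalse(identityProviders.isEmpty());` right after the list is fetched. The literal `"**********"` duplicates the mask that StripSecretsUtils writes — presumably `ComponentRepresentation.SECRET_VALUE` — and should reference that constant so the test tracks it if the mask ever changes. If the raw `List identityProviders` is not an extraction artifact, declare it as `List<IdentityProviderRepresentation>` so the lambda parameter is typed instead of falling back to Object.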